U.S. Department of the Interior
Office of Inspector General

AUDIT REPORT

IMPLEMENTATION OF RECOMMENDATIONS FOR IMPROVING GENERAL CONTROLS OVER THE AUTOMATED INFORMATION SYSTEM, ROYALTY MANAGEMENT PROGRAM, MINERALS MANAGEMENT SERVICE

REPORT NO. 99-I-628
JULY 1999

A-IN-MMS-001-98-M

United States Department of the Interior
OFFICE OF INSPECTOR GENERAL
Washington, DC 20240

JUL - 9 1999

AUDIT REPORT
Memorandum

To:        Assistant Secretary, Land and Minerals Management

From:      Robert J. Williams
           Assistant Inspector

Subject:   Audit Report on Implementation of Recommendations for Improving General Controls Over the Automated Information System, Royalty Management Program, Minerals Management Service (No. 99-I-628)

INTRODUCTION

This report presents the results of our audit of implementation of the recommendations contained in our March 1998 audit report titled "General Controls Over the Automated Information System, Royalty Management Program, Minerals Management Service" (No. 98-I-336). The objective of our current audit was to determine whether the Minerals Management Service's Royalty Management Program satisfactorily implemented the recommendations made in our March 1998 report and whether any new recommendations were warranted. This audit supports the Office of Inspector General's opinion on the financial statements of the Minerals Management Service by evaluating the reliability of the general controls over computer-generated data that support the Royalty Management Program's portion of the financial statements.

BACKGROUND

The Minerals Management Service's Royalty Management Program is responsible for collecting and disbursing revenues of about $4 billion annually that are generated from leasing Federal and Indian lands and for collecting royalties on minerals extracted from leased lands. To aid in accomplishing its mission objectives and meeting its financial reporting requirements, the Program uses an automated information system that includes a mainframe computer, a minicomputer, and personal computers and servers which support an enterprisewide network.[1] For collecting rents and royalties, the Program uses primarily the mainframe computer. For disbursing rents and royalties, verifying collections, and reporting financial information, the Program uses all of the components of its automated information system. The Program's automated information system was operated and maintained by a contractor.

Overall system security policies for the Program are established by the Installation Information Technology Security Manager, within the Program's Systems Management Division. The contractor is responsible for providing system security administration for the mainframe computer, the minicomputers, and the enterprisewide network.

SCOPE OF AUDIT

This audit was conducted during September through November 1998 at the Royalty Management Program's Systems Management Division, located in Lakewood, Colorado. The scope of our audit included an evaluation of the actions taken by Program management to implement the 23 recommendations made in our March 1998 report and reviews of the general controls in place during fiscal year 1998. To accomplish our objective, we interviewed Program and contractor personnel, reviewed system documentation, and reviewed and tested implementation of the recommendations contained in the March 1998 report.

The audit was conducted in accordance with the "Government Auditing Standards," issued by the Comptroller General of the United States. Accordingly, we included such tests of records and other auditing procedures that were considered necessary under the circumstances.

As part of our audit, we evaluated the Program's general controls over its automated information system that could adversely affect the data processing environment. Because of inherent limitations in any system of internal controls, losses, noncompliance, or misstatements may occur and not be detected. We also caution that projecting our evaluations to future periods is subject to the risk that controls or the degree of compliance with the controls may diminish.

RESULTS OF AUDIT

Regarding the March 1998 report's 23 recommendations, we found that the Royalty Management Program had satisfactorily implemented 20 recommendations. Three recommendations (Nos. D.1, D.2, and G.1) were considered resolved but not implemented based on actions to be taken by the Program.
Appendix 2 lists all of the prior report's recommendations, the status of the recommendations, and actions taken to implement the recommendations. The actions taken on the recommendations have improved the general controls in the areas of security program, access controls, software development and change management, separation of duties, system software controls, and service continuity.

[1] Servers are computers that provide services to client computers on a network. Enterprisewide networks are networks that result when all the networks in a single organization are connected. (Jerry Fitzgerald and Alan Dennis, Business Data Communications and Networking, 5th edition, John Wiley & Sons, Inc., 1996.)

To further strengthen the general controls, we found that improvements were needed in the areas of access controls, security planning, and continuity of operations. Office of Management and Budget circulars and National Institute of Standards and Technology publications require Federal agencies to establish and implement computer security and management and internal controls to improve the protection of sensitive information in the computer systems of executive branch agencies. Program management did not ensure that (1) computer security training was received by employees and contractor personnel and access to computer processing was limited, (2) security plans were updated appropriately, and (3) disaster recovery plans were developed in compliance with established criteria. As a result, there was an increased risk of (1) unauthorized access to, modification of, and disclosure of sensitive data; (2) ineffective security planning; and (3) loss of system availability.

Overall, we identified four weaknesses and made four new recommendations for improving general controls at the Program. We do not consider these weaknesses to be a material weakness under provisions of the Federal Managers' Financial Integrity Act. A summary of the weaknesses in the areas of access controls, security planning, and continuity of operations is provided in the paragraphs that follow, and the weaknesses and our respective recommendations are detailed in Appendix 1.

Access Controls

We found weaknesses in access controls over the Program's automated information system. These weaknesses were in the areas of computer security training and logical access controls over computer processing. As a result, there was an increased risk that proprietary data maintained on the automated information system were vulnerable to unauthorized disclosure and manipulation, as well as an increased risk of disruption of service to users. We made two recommendations to address these weaknesses.

Security Planning

We found a weakness in the development and maintenance of security plans for sensitive systems. As a result, the security plans in place did not ensure that controls were established to protect information processed, transmitted, or stored in the general support system,[2] and there was an increased risk that the most appropriate and effective controls would not be identified and implemented by the Program. We made one recommendation to address this weakness.

[2] Office of Management and Budget Circular A-130, Appendix III, "Security of Federal Automated Information Resources," defines a general support system or system to mean "an interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people."

Continuity of Operations

We found that the communication networks, which were part of the Program's general support system, were not included in the Program's disaster recovery plans. As a result, there was an increased risk that the communication networks may not be recovered in the event of a disaster. We made one recommendation to address this weakness.

Minerals Management Service Response and Office of Inspector General Reply

In the May 25, 1999, response (Appendix 3) to our draft report from the Director, Minerals Management Service, the Service concurred with the four recommendations. Based on the response, we consider Recommendations A.1 and B.1 resolved and implemented and Recommendations C.1 and D.1 resolved but not implemented. Accordingly, the unimplemented recommendations will be referred to the Assistant Secretary for Policy, Management and Budget for tracking of implementation (see Appendix 4).

Regarding our March 1998 report, the Service, in its May 1998 response, concurred with our classification of the prior recommendations, and we considered 20 of the 23 recommendations resolved and implemented and the remaining 3 recommendations (Nos. D.1, D.2, and G.1) resolved but not implemented. Accordingly, updated information on the status of the three prior unimplemented recommendations will be forwarded to the Assistant Secretary for Policy, Management and Budget (see Appendix 5).

Since the recommendations contained in this report are considered resolved, no further response to the Office of Inspector General is required (see Appendix 4).

The legislation, as amended, creating the Office of Inspector General requires semiannual reporting to the Congress on all audit reports issued, actions taken to implement audit recommendations, and identification of each significant recommendation on which corrective action has not been taken.

We appreciate the assistance of Service personnel in the conduct of our audit.

APPENDIX 1
Page 1 of 6

DETAILS OF WEAKNESSES AND RECOMMENDATIONS

ACCESS CONTROLS

A. Computer Security Training

Condition:     The Program's policy that required periodic computer security training of employees and contractor personnel to reduce the risk of disclosure of proprietary data had not been effectively implemented. We statistically tested 49 of the 717 employees who had access to the server component of the automated information system. We found that 28 of the 49 employees had not received periodic training in the protection of proprietary data. From our test results, we projected that of the 717 employees, 410 employees had not been trained recently in the protection of proprietary data.
In addition, Program management did not ensure that contractor personnel received such training.

Criteria:      The Program's policy regarding data protection states that the Royalty Management Program will "rely on employee training, clearances, and physical controls as its primary means of protecting proprietary information." This policy also states that "all employees and contractors are required to protect proprietary information and receive periodic training regarding the protection of proprietary information."

Cause:         There were no controls in place to ensure that employees and contractor personnel received the training specified by Program policy.

Effect:        Since training was one of the Program's primary controls to protect against disclosure of proprietary data and this control had not been effectively implemented, there was an increased risk of unauthorized disclosure of proprietary data.

Recommendation:

We recommend that the Director, Minerals Management Service, implement procedures to ensure that all employees and contractor personnel receive periodic training on the protection of proprietary data as defined by Program policy.

B. Access Controls Over Computer Processing

Condition:     Access controls over the processing performed on the mainframe computer were inadequate. Specifically, we identified 171 individuals who had update access to the emergency libraries.[3] Emergency libraries can contain changes to the production application programs that are used to process data to determine the distribution of royalties. By running a program from the emergency library, change control procedures are bypassed, and the risk is increased that an inappropriate program would be run which could adversely affect the Program's data.

Criteria:      Office of Management and Budget Circular A-130, Appendix III, "Security of Federal Automated Information Resources," requires agencies to establish controls to ensure adequate security for all information processed, transmitted, or stored in Federal automated information systems. The Circular also requires agencies to implement and maintain a program to ensure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications. The Circular further defines "adequate security" as "security commensurate with the risk and the magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information." In addition, the current Program policy addressing data protection states that the Program "applies the concept of 'least privilege' to protect the integrity of official records. Only those persons with the responsibility for adding, deleting, or modifying records are given update privileges."

Cause:         Program security administration personnel had established a group within the mainframe computer security software that included all Time Sharing Option[4] (TSO) users and had given this group update access to the emergency libraries, even though all users with access to TSO were not authorized to perform updates to the emergency libraries. Although Program management relied on reviews by personnel responsible for managing changes and updates to the emergency libraries to detect any inappropriate activities, we believe that a more effective control would have been to reduce the possibility of inappropriate activities by limiting access.

Effect:        There was an increased risk that unauthorized changes to the mainframe applications in the production environment could occur, which could result in possible corruption[5] and loss of data, as well as disruption of service to users. However, during our fieldwork, the Program eliminated the update access to the emergency libraries that was provided to all TSO users.

Recommendation:

We recommend that the Director, Minerals Management Service, establish policies and procedures to ensure that default accesses established in the automated information system provide access only to authorized users requiring such access.

[3] "A library is a collection of programs or data files for a particular purpose." (Alan Freedman, The Computer Glossary, 4th edition, AMACOM Division of the American Management Association, 1989, p. 401.)

[4] Time Sharing Option is a software "that provides interactive communications for IBM's MVS [Multiple Virtual Storage] operating system. It allows a user or programmer to launch an application from a terminal and interactively work with it." MVS is the operating system used on IBM mainframes. "MVS is a batch processing-oriented operating system that manages large amounts of memory and disk space. Online operations are provided with CICS [Customer Information Control System], TSO and other system software." (Computer Desktop Encyclopedia, Version 9.4, 4th quarter, 1996, The Computer Language Company, Inc.)

[5] Corruption is the unauthorized altering of data or programs resulting in erroneous software logic. (Alan Freedman, The Computer Glossary, 4th edition, AMACOM Division of the American Management Association, 1989, p. 159.)

SECURITY PLANNING

C. Security Plans

Condition:   The security plans for sensitive systems referred to in the Program's "Automated Information Systems Security Plan," dated January 1998, did not reflect the current information technology environment at the Program. Specifically, the "IBM Security Plan" and the "DEC/VAX [Digital Equipment Corporation/Virtual Address Extension] Security Plan" were dated 1996. The IBM plan did not reflect the hardware platform that was implemented in 1997. Further, both of the plans identified the Outer Continental Shelf Information System (OCSIS) as a source of production information, but OCSIS had been replaced by the Technical Information Management System. Also, the "RMP Desktop 1997 Security Plan" identified the Resource Access Control Facility (RACF) and the System Management Facility (SMF) as the audit and variance detection controls in place. However, while both RACF and SMF were in place on the mainframe, the Royalty Management (RMP) Desktop application was a client/server system that used different audit and variance detection controls.

Criteria:    The Computer Security Act of 1987 requires the development of a security plan for each Federal computer system that contains sensitive information. The Act further states, "Such plan shall be revised annually as necessary." Office of Management and Budget Circular A-130, Appendix III, "Security of Federal Automated Information Resources," requires that security plans be developed for each general support system.
In addition, the Departmental Manual (375 DM 19) requires that security plans be prepared for new or significantly changed systems.

Cause:       Program management updated the plans that were referred to in the Program's "Automated Information Systems Security Plan" only every 3 years, regardless of whether changes had occurred. In addition, Program management did not ensure that the Program's security plans accurately reflected the security controls of the Program's sensitive systems components.

Effect:      Security plans for the Program did not ensure that controls were established to protect information processed, transmitted, or stored in the general support system, and there was an increased risk that the most appropriate and effective general controls would not be identified and implemented by the Program. During our fieldwork, Program security management revised the IBM plan, "Mainframe - 1998 Security Plan," to reflect the current mainframe environment.

Recommendation:

We recommend that the Director, Minerals Management Service, ensure that security plans which are referred to in the Program's annual "Automated Information System Security Plan" accurately reflect the controls in place and are updated to reflect significant changes to the current information technology environment.

CONTINUITY OF OPERATIONS

D. Disaster Recovery Plans

Condition:   Communication networks, which are part of the Program's general support system, used by the Program's divisions that maintain proprietary and financial data were not included in the Program's disaster recovery plans.

Criteria:    Office of Management and Budget Circular A-130 requires that the security plan for a general support system address continuity of operations. The Circular states, "Agency plans should assure that there is an ability to recover and provide service sufficient to meet the minimal needs of users of the system.
Manual procedures are generally NOT a viable back-up option."

Cause:       Program management had not completed the Program's disaster recovery plan for its communication network environment.

Effect:      If the disaster recovery plans are incomplete because components of the general support system are not included, personnel required to perform the disaster recovery procedures may not be able to recover critical systems in the event of a disaster or a system failure.

Recommendation:

We recommend that the Director, Minerals Management Service, ensure that disaster recovery plans are developed for the general support system, including communication networks necessary to maintain Program operations.

APPENDIX 2
Page 1 of 8

SUMMARY OF RECOMMENDATIONS AND CORRECTIVE ACTIONS FOR AUDIT REPORT "GENERAL CONTROLS OVER THE AUTOMATED INFORMATION SYSTEM, ROYALTY MANAGEMENT PROGRAM, MINERALS MANAGEMENT SERVICE" (No. 98-I-336)

Each entry below gives the prior recommendation followed by the status of the recommendation and corrective actions.

A.1. Ensure that risk assessments are conducted in accordance with guidelines which recommend that risk assessments support the acceptance of risk and the selection of appropriate controls. Specifically, the assessments should address significant risks affecting systems, appropriately identify controls implemented to mitigate those risks, and formalize the acceptance of the residual risk.

Status and corrective actions: Implemented. We found that the Royalty Management Program had implemented an enhanced risk assessment process which should identify the significant risks affecting the Program's automated information system, identify controls implemented to mitigate those risks, and formalize the acceptance of the residual risk. We believe that establishment of this process meets the intent of the recommendation.

A.2. Formally assign and communicate responsibility to local area network administrators to participate in risk assessments and ensure compliance with the Program's security policy.

Status and corrective actions: Implemented. The Program had centralized the administration of its networks and established a team to ensure compliance with the Program's policy regarding risk assessments.

A.3. Determine the risks associated with local area network applications and personal computer databases which contain proprietary and financial data and, based on the results of the risk assessments, establish appropriate security policies and procedures.

Status and corrective actions: Implemented. The Program had performed an assessment of risks related to proprietary data and its official financial records. As a result of the assessment, the official records had been moved from personal computer databases to networks. Therefore, the proprietary and official financial records are subject to the controls established for the networks.

B.1. Evaluate Systems Management Division and contractor automated data processing (ADP) positions to determine position sensitivity in relation to risk and ADP factors. Also, assurance should be provided that automated information system work is technically reviewed by persons whose position sensitivity levels are greater than the position sensitivity levels of the employees who are performing the work.

Status and corrective actions: Implemented. The Program had evaluated Systems Management Division and contractor ADP positions to determine position sensitivity in relation to risk and ADP factors. Through the evaluation process, the sensitivity levels of Systems Management Division management and supervisory positions and contractor management positions were increased.

B.2. Establish controls to ensure that the contractor is fulfilling its contractual obligation of submitting requests for background checks within the specified time frame and that contractor employees who are in probationary status and awaiting security clearances are not performing critical ADP work.

Status and corrective actions: Implemented. A process was implemented in which the contractor provided a report containing the names of newly hired personnel working on the Program's contract, along with the submission status of the background check documentation. This report was used by the Program's security management and the Minerals Management Service's Personnel Division to ensure compliance with contract requirements regarding the submission of background check documentation. Also, the Program approved the contractor's implementation of a "pre-employment/pre-assignment screening" process. This process, which includes a criminal history review, credit check, and a driving history check, provides assurance to the Program that the contractor's potential employees would receive the appropriate security clearance. This procedure was implemented in lieu of not allowing contractor employees who are on probationary status and awaiting their security clearances to perform critical ADP work because the time required to obtain a security clearance is not cost beneficial to the Program. We believe that the contractor's alternative "pre-employment/pre-assignment screening" process meets the intent of the recommendation.

B.3. Establish controls to ensure that personnel or security files accurately reflect that background checks and periodic followup background checks are performed as required.

Status and corrective actions: Implemented. Program background check information was being tracked by the Service's Personnel Division for Program and contractor personnel instead of requests for background checks being submitted through the Program's security personnel. In addition, Program management had taken action to submit required documentation for periodic followup background checks.

C.1. Establish controls to enforce Program policy that requires employees to sign security awareness statements before access to system resources is approved by the Installation Automated Information System Security Officer.

Status and corrective actions: Implemented. The controls were established and enforced.

D.1. Ensure that individual computer resources are classified based on the level of sensitivity associated with each resource.

Status and corrective actions: Resolved; not implemented. Although Program management did not agree with the recommendation in its response to our March 1998 audit report, we believe that the Program's risk management process implemented under Recommendation A.1 will require the Program to classify its individual computer resources based on the level of sensitivity associated with each resource. Therefore, we believe that completion of the revised risk assessments, which the Service said will occur by the end of calendar year 1999 using the new risk management process, will meet the intent of the recommendation.

D.2. Evaluate controls over resources to ensure that the access controls have been implemented commensurate with the level of risk and sensitivity associated with each resource.

Status and corrective actions: Resolved; not implemented. Although Program management did not agree with the recommendation in its response to our March 1998 audit report, we believe that the Program's risk management process being implemented under Recommendation A.
1 will require the Program to evaluate its\n                                                    controls over its resources to ensure that the\n                                                    access controls have been implemented\n                                                    commensurate with the level of risk and\n                                                    sensitivity associated with each resource.\n                                                    Therefore, we believe that completion of\n                                                    the revised risk assessments, which the\n                                                    Service said will occur by the end of\n                                                    calendar year 1999 using the new risk\n                                                    management process, will meet the intent\n                                                    of the recommendation.\n\nE. 1. Implement controls to enforce                 Implemented. Program management\nProgram policy that default user                    issued a memorandum reaffirming the\nidentifications (IDS) and passwords are             Program\xe2\x80\x99s policy, and a procedure\nremoved from the automated information              requiring assurance of deletion/revocation\nsystem when commercial off-the-shelf                of the default password was implemented.\nsoftware is implemented.\n\n\n\n\n                                               15\n\x0c                                                                                  APPENDIX 2\n                                                                                    Page 6 of 8\n\n\n                                                           Status of Recommendations\n            Recommendations                                  and Corrective Actions\n\n\nF. 1. Evaluate the current Program policy           Implemented. 
The Program evaluated the\nwhich recommends that passwords contain             current policy. As a result of the\na mix of letters and numbers for all                evaluation, the Program implemented a\nautomated information system components.            control within the mainframe environment\nImplement, if the Program determines that           requiring the use of passwords containing a\na mix of letters and numbers should be              mix of letters and numbers.\nrequired, the security software option\nwithin RACF (Resource Access Control\nFacility) that would enforce this\nrequirement. If the Program determines\nthat a mix of letters and numbers is not\nrequired, the risk should be addressed in\nthe risk assessment.\n\nF.2. Develop and implement centralized              Implemented. The Program consolidated\nsecurity administration for the local area          its servers and centralized security\nnetworks used by the Program\xe2\x80\x99s divisions            administration for its local area networks\nthat contain proprietary and financial data.        that contain proprietary or financi& data.\n\nG. 1. Implement controls to ensure that             Partially implemented. The Program made\naccess managers approve all access to their         significant progress in completing its\napplications in accordance with Program             review of user access levels; however, the\npolicy.                                             September 30, 1998, target date for\n                                                    implementation of this recommendation\n                                                    was changed to June 30, 1999.\n\nG.2. Document procedures which require        Implemented. 
Procedures were\nthat users\xe2\x80\x99 access levels be reviewed         documented, and the Program had begun to \xe2\x80\x99\nperiodically or that employees be             review user access levels cited in\nrecertified to ensure that the levels of      Recommendation G. 1.\naccess granted are appropriate for the duties\nassigned to the users.\n\n\n\n\n                                               16\n\x0c                                                                                   APPENDIX 2\n                                                                                     Page 7 of 8\n\n\n                                                           Status of Recommendations\n            Recommendations                                  and Corrective Actions\n\n\nH. 1. Evaluate the need to deviate from the         Implemented. The Department\xe2\x80\x99s Office of\nDepartment of the Interior standard for the         Information Resources Management\nnumber of unsuccessful log-in attempts. If          provided a waiver to the Program allowing\nthe Program determines that this number             the program to deviate from the standard\nshould remain at five, Program                      pertaining to the number of log-in attempts.\nmanagement should request, from the\nDepartment, a waiver from the standard of\nthree attempts.\n\nI. 1. Enforce procedures for authorizing,           Implemented. The Chief, Systems\napproving, and testing client/server                Management Division, issued a\napplications software before the software is        memorandum reinforcing the established\nmoved into production.                              procedures, and a monitoring officer was\n                                                    designated to ensure compliance with the\n                                                    standards on all new client/server projects.\n\nJ. 1. Implement controls to ensure that             Implemented. 
Controls were established to\napplication programmers do not have                 provide only temporary access in cases in\naccess to the production client/server              which application programmers need to      .\napplication data or the capability to               access production data and to promptly\nupdate/change these data.                           terminate this access when it is no longer\n                                                    required.\n\n5.2. Improve detection controls by                  Implemented. Procedures were developed\nensuring that management or the                     and implemented requiring periodic\nInstallation Security Officer periodically          reviews of server security logs by security\nreviews server security log files.                  administration personnel.\n\n\nK. 1. Ensure that the upgraded version of           Implemented. The upgraded version of\nRACF is implemented immediately if the              RACF was implemented.\nProgram is granted a waiver from\nconsolidating its mainframe operations\nwith another mainframe operation.\n\n\n\n\n                                               17\n\x0c                                                                                   APPENDIX 2\n                                                                                     Page 8 of 8\n\n\n                                                            Status of Recommendations\n            Recommendations                                   and Corrective Actions\n\n\nL. 1. Evaluate acquiring system verification         Implemented. The Program completed an             \xe2\x80\x99\nand auditing software.                               
evaluation of system verification and audit\n                                                     software and purchased a software tool to\n                                                     be used in its network environment that\n                                                     would include the mainframe.\n\nL.2. Implement the system options to                 Implemented. In fiscal year 1998, the\nrecord activities in the system log                  Program implemented system options to\n(SYSLOG) during the system initialization            record activities in the SYSLOG during the\nprocess and develop and implement                    system initialization process and developed .\nprocedures to ensure that periodic reviews           and implemented procedures requiring\nof the SYSLOG for unauthorized or                    periodic reviews of the SYSLOG for\ninappropriate activities are performed and           unauthorized or inappropriate activities and\nthat unauthorized or inappropriate activities        requiring that such activities be reported to\nare reported to Program management.                  Program management. However, during\n                                                     this audit, we noted that the system logging\n                                                     option was disabled. After we informed\n                                                     Program management of this deficiency,\n                                                     the system logging option was turned back\n                                                     on.\n\nL.3. Evaluate the available System                   Implemented. 
The Program performed an\nManagement Facility (SMF) record types               evaluation of the record types and\nand implement procedures to ensure that              established procedures requiring periodic\ncritical SMF log files are reviewed                  reviews of those record types that were\nperiodically and that Program management             determined to be critical.\naddresses the problems identified.\n\nM. 1. Update the disaster recovery plans to          Implemented. Program management               .\ninclude all mission-critical systems.                evaluated its systems and determined that\n                                                     only those systems on the mainframe were\n                                                     mission critical. The Program had a\n                                                     disaster recovery plan in place to address\n                                                     mainframe system recovery.\n\n\n\n\n                                                18\n\x0c                                                                                        APPENDIX 4\n\n\n                      United States Department of the Interior\n                                 MINERALSMANAGEMENTSERVICE\n                                          Washington, DC 20240\n\n\n\n\n                                                       1\n\n\n                                            MAY 2-5\xe2\x80\x99 I?99\n\nMemorandum\n\n\n\n\nFrom:\n\n\nSubject:       Offke of Inspector General Draft AuVdit Report, \xe2\x80\x9cImplementation of\n               Recommendations for Improving General Controls Over the Automated\n               Information System, Royalty Management Program, Minerals Management\n               Service\xe2\x80\x9d [A-IN-MkfS-OOl-98OM]\n\nWe appreciate the opportunity to respond to this draft report on our implementation of\nrecommendations to improve the general controls over our automated information 
system. As\noutlined in your report, we have implemented 20 of the 23 recommendations and are in the\nprocess of implementing the remaining 3 recommendations. We agree with the four additional\nrecommendations in this report and plan to implement them this year.\n\nWe\xe2\x80\x99re sending you our general comments on the audit findings and specific ones on the\nrecommendations.\n\nPlease contact Bettine Montgomery at (202) 208-3976 if you have any further questions.\n\n\n\nAttachment\n\n\n\n\n                                                  19\n\x0c.                                                                                            APPENDIX 4\n    .                                                                                        P a g e 2 of 3\n\n\n\n        * MINERALS MANAGEMENT SERVICE RESPONSE TO DRAFT AUDIT REPORT\n          \xe2\x80\x9cIMPLEMENTATION OF RECOMMENDATIONS FOR IMPROVING GENERAL\n               CONTROLS OVER THE AUTOMATED INFORMATION SYSTEM,\n         ROYALTY MANAGEMENT PROGRAM, MINERALS MANAGEMENT SERVICE\xe2\x80\x9d\n\n    Audit Agency: Office of Inspector General (OIG)\n\n    Audit Number: A-IN-MMS-001-98-M\n\n    We appreciate the opportunity to review this draft report summarizing OIG\xe2\x80\x99s followup on the 23\n    recommendations contained in its March 1998 audit report, \xe2\x80\x9cGeneral Controls Over the\n    Automated Information System, Royalty Management Program, Minerals Management Service.\xe2\x80\x9d\n    We agree with the status shown for those recommendations. Twenty have been implemented,\n    one will be implemented by June 1999, and the other two will be implemented via alternative\n    approaches by the end of this calendar year. As explained in our response to the March 1998\n    report, we do not agree with a number of the adverse conclusions on which the recommendations\n    were based. 
However, we do agree that our implementation of these recommendations will\n    improve our general controls.\n\n    This draft report presents four additional recommendations to strengthen system access controls,\n    security planning, and continuity of operations. We agree with each of these recommendations\n    and are working to implement them as discussed below.\n\n    Recommendation A 1. Implement procedures to ensure that all employees and contractor\n    personnel receive periodic training on the protection ofproprieta y data as defined by Program\n    policy.\n\n    Agree. The Royalty Management Program (RYMP) has provided annual training in this area, but\n    has not enforced attendance. Because staff turnover has been minimal, we believe most\n    employees are fully aware of the proprietary information protection requirements. Nevertheless,\n    RMP will provide mandatory security training, including training on the protection of proprietary\n    data, during the fall of 1999 and at least biannually thereafter. Procedures to guide this training\n    effort will be in place by June 30, 1999.\n\n    Recommendation B 1. Establish policies and procedures to ensure that default accesses\n    established in the automated information system provide access oniy to authorized users\n    requiring such access.\n\n    Agree. OIG noted that all Time Sharing Option (interactive) users had update access to the\n    \xe2\x80\x9cemergency library\xe2\x80\x9d of programs which could possibly result in unauthorized changes to the\n\n\n                                                    1\n\n\n\n                                                    20\n\x0c.                                                                                              APPENDIX 4\n    .   .                                                                                      Page 3 of 3\n\n\n\n\n        code. 
Our contractor\xe2\x80\x99 s security personnel have already corrected this problem limiting such\n        access to the few users who need it. Documented policy and procedures will be in place by\n        May 31, 1999.\n\n        Recommendation C 1. Ensure that security plans which are referred to in the Program \xe2\x80\x98s annual\n        Automated Information System Security Plan accurately reflect the controls in place and are\n        updated to reflect significant changes to the current information technology environment.\n\n        Agree. The security plans are being updated concurrently with various ongoing system changes\n        such as conversion of RMP \xe2\x80\x99 s solid minerals production accounting programs to the mainfiarne\n        environment. They will be completed and in place by October 1, 1999.\n\n        Recommendation D 1. Ensure that disaster recovery plans are developedfor the general support\n        system, including communication networks necessary to maintain Program operations.\n\n        Agree. RhP is working with its operations and maintenance contractor to develop such plans\n        which will be in place by September 30, 1999.\n\n        The Chief, Systems Management Division, is responsible for implementing these\n        recommendations.\n\n\n\n\n                                                       2\n\x0c                                                                            APPENDIX 4\n\n       STATUS OF CURRENT AUDIT REPORT RECOMMENDATIONS\n\n      Finding/Recommendation\n              Reference                  Status                    Action Required\n\n\n            A.1 and B.l        Implemented.                 No further action is required.   \xe2\x80\x99\n\n            C.l and D.l        Resolved; not implemented.   
No further response to the\n                                                            Office of Inspector General is\n\xe2\x80\x98rc\n                                                            required. The\n                                                            recommendations will be\n                                                            referred to the Assistant\n                                                            Secretary for Policy,\n                                                            Management and Budget for\n                                                            tracking of implementation.\n\n\n\n\n                                              22\n\x0c                                                                           APPENDIX 5\n\n         STATUS OF PRIOR AUDIT REPORT RECOMMENDATIONS\n\n     Finding/Recommendation\n             Reference                  Status                    Action Required\n\n\n     A.1, A.2, A.3, B.l, B.2, Implemented.                 No further action is required.\n     B.3,C.l,E.l,F.l,F.2,G.2,\n     H.l, 1.1, J.l, 5.2, K.l, L.l,\n     L.2, L.3, and M.l\n-.\n     D.-l, D.2, and G.1       Resolved; not implemented.   No further response to the\n                                                           Office of Inspector General is\n                                                           required. 
The information\n                                                           regarding the status of these\n                                                           recommendations will be\n                                                           provided to the Assistant\n                                                           Secretary for Policy,\n                                                           Management and Budget for\n                                                           tracking of implementation.\n\n\n\n\n                                             23\n\x0c                        ILLEGAL OR WASTEFUL ACTIVITIES\n                            SHOULD BE REPORTED TO\n                       THE OFFICE OF INSPECTOR GENERAL\n\n\n                                      Internet/E-Mail Address\n\n                                           www.oig.doi.gov\n\n\n\n                           Within the Continental United States\n\n     U.S. Department of the Interior                         Our 24-hour\n\xe2\x80\x99    Office of Inspector General                             Telephone HOTLINE\n     1849 C Street, N.W.                                     I-800-424-508 1 or\n     Mail Stop 5341                                          (202) 208-5300\n     Washington, D.C. 20240\n\n                                                             TDD for hearing impaired\n                                                             (202) 208-2420 or\n                                                             1-800-354-0996\n\n\n                          Outside the Continental United States\n\n                                          Caribbean Region\n\n    U.S. Department of the Interior                       (703) 235-9221\n    office of Inspector General\n    Eastern Division - Investigations\n    4040 Fairfax Drive\n    Suite 303\n    Arlington, Virginia 22203\n\n                                        North Pacify Region\n\n    U.S. 
Department of the Interior                      (671) 647-6060\n    ~ffke of Inspector General\n    North Pacific Region\n    415 Chalan San Antonio\n    Baltej Pavilion, Suite 306\n    Tamming, Guam 96911\n\x0c  :      Toll Free Numbers:\n    m:    I-800-424-5081\n     :    TDD l-800-354-0996       E\n  :                                5\n  :                                5\n  :      FlYVCommercial Numbers:\n           (202) 208-5300\n a,1-     TDD (202) 208-2420       Ec\n\n\na\n:        1849 C Street, N.W.       E\n:        Mail Stop 5341            K\n 3       Washington, D.C. 20240\n :\n :\n :\n :\n :\n :\n :\n:-\n *\n\x0c'